cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2389
Views
0
Helpful
3
Replies
michelbijnsdorp
Beginner

SSID usage in ISE policy in sponsor portal

Hi,

In the default sponsor portal view there is a SSID: option which can be filled for the configured SSID.

Based on which a sponsor portal user select for this SSID fields allows the user to be connected to.

In the ISE policy options I did not found a attribute field that correspond with the SSID option in the sponsor portal view.

question1: Is there a attribute field in one of many ISE policy / condition option fields or is this SSID filed just for user reference if the sponsor portal credentials are send to the user in email/hard copy?

question2: what is the relation in the Guest Access->Settings->Custom Fields->Custom Field Name : eg. choose SSID  and the Guest attributes (Optional Data1, Optional Data2 etc ) fields that can be used in a ISE policy / Condition?  Can the Custom Field Name in the Guest Acces menu be used for building ISE policy/conditions

Hopefully my topic makes any sense and if you need some more information please do not hesitate to respond.

With kind regards,

Michel Bijnsdorp

1 ACCEPTED SOLUTION

Accepted Solutions
Jason Kunst
Cisco Employee

A similar question was asked just recently gvanbon I believe

Its a great question, the SSID in the guest notification is there as a label for easy communication only. Its not called out in an authorization rule as an attribute.

use case - I am a sponsor and I send an email with the SSID you should be connecting to. There are multiple SSIDs at the site. No there is no way to grab that and pass along to Authorization rules/policy. Suggest you get this over to the ISE-PM mailer internally to ask for an enhancement. Otherwise this would be some advanced customization where you monitor ISE MNT syslog generation and do some sort of attribute mapping in perhaps external ODBC database.

I think this could be done indirectly using Guest Types. This will make more difficult and not as dynamic as you would like but what about having different Guest_types allowed against different SSID?

Authz rule > If Wireless_MAB and SSIDX (CalledStationID and GuestTypeX then permit access

otherwise redirect to a hotspot as a message portal saying you are not authorized to connect to this SSID?

Re: Support Information button in place of link?

See regex examples here:

ISE Policies Based on SSID Configuration Examples - Cisco

Some example of matching SSID using Radius Called Station ID

https://supportforums.cisco.com/sites/default/files/ise_location-based_web_portals-v2.pdf

View solution in original post

3 REPLIES 3
Jason Kunst
Cisco Employee

A similar question was asked just recently gvanbon I believe

Its a great question, the SSID in the guest notification is there as a label for easy communication only. Its not called out in an authorization rule as an attribute.

use case - I am a sponsor and I send an email with the SSID you should be connecting to. There are multiple SSIDs at the site. No there is no way to grab that and pass along to Authorization rules/policy. Suggest you get this over to the ISE-PM mailer internally to ask for an enhancement. Otherwise this would be some advanced customization where you monitor ISE MNT syslog generation and do some sort of attribute mapping in perhaps external ODBC database.

I think this could be done indirectly using Guest Types. This will make more difficult and not as dynamic as you would like but what about having different Guest_types allowed against different SSID?

Authz rule > If Wireless_MAB and SSIDX (CalledStationID and GuestTypeX then permit access

otherwise redirect to a hotspot as a message portal saying you are not authorized to connect to this SSID?

Re: Support Information button in place of link?

See regex examples here:

ISE Policies Based on SSID Configuration Examples - Cisco

Some example of matching SSID using Radius Called Station ID

https://supportforums.cisco.com/sites/default/files/ise_location-based_web_portals-v2.pdf

View solution in original post

Hi Jason,

I'm indeed the originator of the question that in the first place was send to Gerard van Bon (gvanbon).

But can you also provide an answer of the second part of the use-case?

question2: what is the relation in the Guest Access->Settings->Custom Fields->Custom Field Name : eg. choose SSID  and the Guest attributes (Optional Data1, Optional Data2 etc ) fields that can be used in a ISE policy / Condition?  Can the Custom Field Name in the Guest Acces menu be used for building ISE policy/conditions? Or what is the function of these Custom Field Name attributes and where can I retrieve the data that a user has filled in. ?

Kind regards Michel.

These fields cannot be used in the authorization policy

You can however utilize them under the master guest report.

Content for Community-Ad